
defining custom authorities...

Dec 20th, 2004, 04:32 PM

This is probably a newbie question, but I can't seem to figure out how to define my own names for granted authorities. In the following bean definition, where does the role name ROLE_USER come from? Is there a predefined list of possible roles somewhere? I tried replacing it with just 'user', but my webapp wouldn't even deploy.

Your AuthenticationManager is responsible for defining the Authentication, which includes the GrantedAuthority[]s.

Most people use DaoAuthenticationProvider, which delegates to an AuthenticationDao. The latter populates a UserDetails object (typically User) which contains the granted authorities.

Alternatively, you can use the in-memory AuthenticationDao or the JdbcDaoImpl. The former obtains the granted authorities from the IoC container (as typically defined in the XML file), and the latter from a dedicated database table.


Thanks Ben. I think you may have misunderstood my question though. I've implemented my AuthenticationDao, and it works fine. I'm trying to understand why my role names have to be converted to "ROLE_" + role.toUpperCase() as in the following example:


Typically an AccessDecisionVoter will look for specific configuration attributes, so it knows when to fire. Thus if you've got a RoleVoter and say a BasicAclEntryVoter, both won't vote on exactly the same access decision.

By default RoleVoter only votes on configuration attributes starting with ROLE_ (case sensitive). You can call its setRolePrefix(String rolePrefix) method with an empty String to cause it to vote on every configuration attribute, thus matching your database. Although if it were me I'd probably change my AuthenticationDao to prepend ROLE_ to each GrantedAuthority, thus allowing different voters to distinguish and retaining the default behaviour and configuration of the security framework as much as possible.
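A small model of the prefix rule described in the reply above, added here as an example; it is not code from the thread or from the security framework itself. The class name, the vote() helper and the attribute name ACL_READ are assumptions made for illustration:

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

// Illustrative model of a prefix-based voter such as RoleVoter, written to
// compare the two options from the reply. Not the framework's own class.
public class RolePrefixDemo {
    static final int ACCESS_GRANTED = 1, ACCESS_ABSTAIN = 0, ACCESS_DENIED = -1;

    // Votes only on configuration attributes that start with rolePrefix and
    // abstains entirely when no attribute carries that prefix.
    static int vote(String rolePrefix, List<String> authorities, List<String> attributes) {
        int result = ACCESS_ABSTAIN;
        for (String attribute : attributes) {
            if (!attribute.startsWith(rolePrefix)) {
                continue;                  // not addressed to this voter
            }
            result = ACCESS_DENIED;        // supported attribute: we must vote
            if (authorities.contains(attribute)) {
                return ACCESS_GRANTED;     // user holds the required authority
            }
        }
        return result;
    }

    // The conversion the reply recommends doing inside the AuthenticationDao.
    static List<String> prependRolePrefix(List<String> dbRoles) {
        List<String> out = new ArrayList<String>();
        for (String role : dbRoles) {
            out.add("ROLE_" + role.toUpperCase());
        }
        return out;
    }

    public static void main(String[] args) {
        List<String> dbRoles = Arrays.asList("user");       // constructed sample user
        List<String> aclOnly = Arrays.asList("ACL_READ");   // hypothetical attribute meant for another voter

        // Option 1: empty prefix. The voter matches the raw database role, but it
        // also claims ACL_READ and denies it instead of abstaining for the ACL voter.
        System.out.println("empty prefix, role attribute:  " + vote("", dbRoles, Arrays.asList("user")));
        System.out.println("empty prefix, acl attribute:   " + vote("", dbRoles, aclOnly));

        // Option 2: DAO prepends ROLE_ and the voter keeps its default prefix, so
        // the role attribute is still granted and the ACL attribute is left alone.
        List<String> authorities = prependRolePrefix(dbRoles);
        System.out.println("ROLE_ prefix, role attribute:  " + vote("ROLE_", authorities, Arrays.asList("ROLE_USER")));
        System.out.println("ROLE_ prefix, acl attribute:   " + vote("ROLE_", authorities, aclOnly));
    }
}
```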